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1 Motivation 

Since the first termination competition 1 in 2004 it is of great interest, whether a proof — that has been 
automatically generated by a termination tool — is indeed correct. The increasing number of termination 
proving techniques as well as the increasing complexity of generated proofs (e.g., combinations of several 
techniques, exhaustive labelings, tree automata, etc.), make certifying (i.e., checking the correctness of) 
such proofs more and more tedious for humans. Hence the interest in automated certification of termina- 
tion proofs. This led to the general approach of using proof assistants (like Coq [2] and Isabelle [12]) for 
■ certification. At the time of this writing, we are aware of the two combinations Coccinelle/G'ME [4, 5] 

and CoLoR/Rainbow [3], Here Coccinelle and CoLoR are Coq libraries, formalizing rewriting theory. 
\ Then Cz'ME as well as Rainbow are used to transform XML proof trees into Coq proofs which heavily 

rely on those libraries. Hence if you want to certify a proof you need a termination tool that produces 
^ appropriate XML output, a converter (C/ME or Rainbow), a local Coq installation, and the appropriate 

^ | library (Coccinelle or CoLoR). 

In this paper we present the latest developments for the new combination IsaFoR/CeTA [13] (ver- 
sion 1.03). Note that the system design has two major differences in comparison to the two existing 
ones. Firstly, our library IsaFoR {Isabelle Formalization of Rewriting) is written for the theorem prover 
Isabel le/HOL and not for Coq. Secondly, and more important, instead of generating for each proof tree 
a new proof, using an auxiliary tool, our library contains several executable check-functions. Here, ex- 
q ! ecutable means that it is possible to automatically obtain a functional program (e.g., in Haskell), using 

Isabelle's code generation facilities [8]. For each termination technique that we have implemented in 
IsaFoR, we have formally proven that whenever such a check is accepted, the termination technique is 
applied correctly. Hence, we do not need to create an individual Isabelle proof for each proof tree, but 
just call the check-function for checking the whole tree (which does nothing else but calling the separate 
I/"") ■ checks for each termination technique occurring in the tree). Additionally, our functions deliver error 

messages that are using notions of term rewriting (in contrast to error messages from a proof assistant 
that are not easily understandable for the novice). Furthermore, IsaFoR contains a functional parser that 
^ ■ accepts XML proof trees. Since even this parser is written in Isabelle, we can freely choose for which 

programming language we want to generate code (Isabelle currently supports Haskell, OCaml, and SML). 
At the moment we generate Haskell code, resulting in our certifier CeTA {Certified Termination Analysis). 
However, for a user of CeTA it will make no difference if it was compiled from Haskell sources or OCaml 
sources. 

To certify a proof using CeTA, you just need a CeTA binary plus a termination tool that is able to 
print the appropriate XML proof tree. Moreover, the runtime of certification is reduced significantly. 
Whereas it took the other two approaches more than one hour to certify all proofs during the last certified 
termination competition, CeTA needs about two minutes for all examples, the average time per system 
being 0.14 seconds. Note that CeTA can also be used for modular certification. Each single application 
of a termination technique can be certified by just calling the corresponding Haskell function. Another 
benefit of our system is its robustness. Every proof which uses weaker techniques than those formalized 
in IsaFoR is accepted. For example, termination pro vers can use the simple graph estimation of [1], as it 
is subsumed by our estimation. 

IsaFoR, CeTA, and all details about our experiments are available at CeTA's website. 2 



"This project is supported by FWF (Austrian Science Fund) project P18763. 
'http : //termination-portal . org/wiki/Termination_Competition 
"http : //cl-inf ormatik .uibk. ac . at/ software/ ceta 
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2 Supported Techniques 

Currently, CeTA features certifying proofs for term rewrite systems (TRSs), i.e., the initial problem is 
always, whether a given TRS TZ is terminating or not. Hence on the outermost level of a proof we 
distinguish between termination and nontermination. 

Termination. There are already several techniques for certifying termination proofs. Those techniques 
can be categorized as follows: 

1. A trivial proof (for empty TZ). 

2. Removing some rules TZ' from TZ such that termination oiTZ\TZ' implies termination of TZ [7]. 

3. Switching to the dependency pair (DP) framework by applying the DP transformation, resulting in 
the initial DP problem {DP{K),K). 

In case 2, monotone linear polynomial interpretations over the naturals are supported. For 3, the follow- 
ing processors are available to prove finiteness of a DP problem (V,TZ): 

Empty V: Emptiness of the P-component of a DP problem implies that the problem is finite. 

Dependency Graph: We support a dependency graph estimation that is based on a combination of [6] 
and [9] (using the function tcap). We call this estimation EDG***. After the estimated graph is 
computed, (V,1Z) is split into the new DP problems (V\,TZ), . . . , (P n ,TZ) (one for each strongly 
connected component of the estimated graph). Note that our implementation allows a termination 
tool to use any weaker estimation than EDG***, i.e., any estimation producing a graph which 
contains at least those edges that are present in EDG***. 

Reduction Pair: In the abstract setting of IsaFoR, the notion of reduction pair has been formalized. For 
concrete proofs there are the following instances: 

• Weakly monotone linear polynomial interpretations over the natural numbers with negative 
constants [10]. Those can be used to remove rules from V. Here, only the usable rules [6] — 
w.r.t. the argument filter that is implicit in the reduction pair — have to be oriented. 

• Strictly monotone linear polynomial interpretations over the natural numbers which can be 
used to remove rules from both V and TZ (where TZ can first be reduced to the usable rules). 

Nontermination. For the time being, loops are the only certifiable way of proving nontermination. If a 
TRS is not well-formed (i.e., I £ V or Var(r) <2 Var(Z) for some rule I — > r) the loop is implicit. Otherwise 
a loop is represented by a context C, a substitution a, and terms t\ to t n such that t\ — s- >t n ^ C[tia}. 

3 Use it for Your Termination Prover 

To use CeTA for certifying your own proofs, you need a termination tool that generates appropriate XML 
output plus a CeTA binary (if you want to build CeTA yourself you will still need an Isa belle installation 
and the IsaFoR library, as well as a Haskell compiler). Hence, the main work will be to modify the 
termination tool in order to generate XML. In the following we will first give a short overview of the 
main components that are currently part of our XML format and then show how to call CeTA. 

Example 3.1. As an example consider the structure of a termination proof for TZ, where first a reduction 
pair has been used to reduce it to the TRS TZ'. Afterwards the dependency pairs of TZ' are computed, 
resulting in a DP problem. Then the proof proceeds by applying a dependency graph estimation. 
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<proof > 

<ruleRemoval> 

<redPair>. . .</redPair> 

<trs>7£'</trs> 

<dpTrans> 

<dps>DP(^')</dps> 
<depGraphProc> . . . </depGraphProc> 
</dpTrans> 
</ruleRemoval> 
</proof > 

The XML format is structured such that on the one hand, new components (like DPs after the de- 
pendency pair transformation or the reduction pair processor) are explicitly provided by the user, and 
on the other hand, the user cannot change components which must not be changed (e.g., the TRS when 
applying the DP graph processor). The general structure of proofs is as follows: 

(proof) = <proof> (trsProof )</proof> | <proof> (trsDisproof )</proof> 

(trsProof) = <ruleRemoval> (redPair) (trs) (trsProof) </ruleRemoval> 
| <dpTrans> (dps) (dpProof )</dpTrans> 
<rIsEmpty/> 

(dpProof) = <depGraphProc>(component)*</depGraphProc> 

<redPairUrProc>(redPair) (dps) (usableRules) (dpProof )</redPairUrProc> 
<monoRedPairUrProc>(redPair) (dps) (trs ) (usableRules ) (dpProof) 

</monoRedPairUrProc> 
<pIsEmpty/> 

(redPair) = <redPair> (interpretation )</redPair> 

(interpretation ) = < int erpr et at i on> ( type ) ( domain ) (interpret ) * < / int erpr et at i on> 

(trsDisproof) = <loop>(substitution)(context)(term)*</loop> 
<notWellFormed/> 

For (ruleRemoval) , the component (trs) holds the rules that could only be weakly oriented by the given 
(redPair). For (dpTrans), the dependency pairs are provided by (dps). The list of (component)?, within 
the dependency graph processor denotes all the strongly connected components (including trivial ones 
consisting of a single node without a self-edge) in topological order. For (interpretation) s we currently 
support as (type) only linear polynomials and as (domain) only the natural numbers. (Detailed descrip- 
tions of all the other components can be found on CeTA's website.) 

CeTA is called with two arguments: the first is the problem for which a proof should be certi- 
fied and the second is the corresponding proof. Hence to certify the proof proof .xml for the prob- 
lem problem . xml, CeTA is called as follows: 

$ CeTA problem. xml proof .xml 

The problem and the proof have to be in XML. For the problem the proposed XTC format — that should 
soon replace the TPDB format in the termination competition — is used. 

Before applying a check-function to a given proof, the internal data structure is converted to XML 
and compared to the input string. A proof is only accepted if both are equal modulo whitespace. In this 
way it is ensured that (non)termination of the right TRS is proven. 



3 http: //cl-inf ormat ik . uibk . ac . at/ software/ ceta/xml/ceta.xsd [ . pdf ] 
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4 Results and Future Work 

We ran extensive tests on the 1391 TRSs from version 5.0 of the termination problems data base to 
evaluate the usefulness of CeTA. As termination tool we used TjT2 [11]. 

All tests have been performed on a server equipped with eight dual-core AMD Opteron® 885 proces- 
sors running at a CPU rate of 2.6 GHz on 64 GB of system memory and with a time limit of 60 seconds 
for each TRS. The results can be seen in the following table (where times are given in seconds and 
(proof-)sizes in kilobytes). 





YES 


NO 


CeTA 




# time (avg.) 


# time (avg.) 


# time (avg.) size (avg.) 


T T T 2 


572 460 (0.80) 


214 147 (0.68) 


786 114(0.14) 41,145 (52.35) 



The YES columns of the table denote termination proofs, whereas the NO columns denote found loops. 
That the numbers for YES and NO sum up to 786, shows that CeTA could certify every proof generated 
by T T T 2 . 

For the future we are eager to combine our attempts for a certification XML format with other ap- 
proaches (like the termination certificates grammar of Rainbow) to obtain a standard that can then be 
used by all termination tools. Further, since we are working with automatically generated code, it would 
be possible to combine our implementation with extracted code from other formalizations in order to 
obtain a more powerful certifier. 
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